Apache SSL Cipher Suites: Perfect Forward Secrecy

I wanted to tune my HTTPS sites on Apache to support only cipher suites that use an ephemeral Diffie-Hellman key exchange, i.e., perfect forward secrecy. But after searching the Internet for a while, I only found SSLCipherSuite examples that listed a few concrete algorithms, while I wanted a more generic option, such as the exclusion syntax known from “!MD5”. Here it is:

Security (not backward compatibility)

I wanted to use cipher suites with only ephemeral Diffie-Hellman key exchange. (Note that a DH key exchange without ephemeral keys does NOT provide perfect forward secrecy!) Furthermore, I only wanted to use strong ciphers, i.e., AES, and only strong hash algorithms, i.e., not MD5. I was not interested in supporting every old Internet Explorer and so on; I focused purely on security.

–> This is the cipher suite string I am using on all my Apache servers:

SSLCipherSuite HIGH:!kRSA:!kDHr:!kDHd:!kSRP:!aNULL:!3DES:!MD5

That is:

All suites under the HIGH classification

But without the key exchange algorithms RSA, DH with RSA key, DH with DSA key, and Secure Remote Password (refer to the SSLCipherSuite directive documentation). –> Only ephemeral Diffie-Hellman!

No NULL authentication

No 3DES

No MD5
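To see which suites such a string actually selects on a given OpenSSL build, and to confirm that every one of them meets the goals listed above, here is an added audit script (not part of the original post). It assumes the `openssl` command-line tool is installed; the function and variable names are the example's own. It expands the cipher string with `openssl ciphers -v` and flags any suite whose key exchange is not ephemeral, or that uses NULL authentication, 3DES or MD5.

```shell
#!/bin/sh
# Added example, not from the original post: expand an SSLCipherSuite string
# with the local OpenSSL and flag any suite that breaks the post's goals
# (non-ephemeral key exchange, NULL authentication, 3DES, MD5).
# Function and variable names here are the example's own choices.

CIPHER_STRING='HIGH:!kRSA:!kDHr:!kDHd:!kSRP:!aNULL:!3DES:!MD5'

# expand_suites STRING: one line per selected suite, in `openssl ciphers -v`
# format: NAME VERSION Kx=... Au=... Enc=... Mac=...
expand_suites() {
    openssl ciphers -v "$1"
}

# check_pfs: read `openssl ciphers -v` lines on stdin, print each offending
# suite prefixed with NON-PFS, and return 1 if any was found.
# Ephemeral key exchange is reported as Kx=DH or Kx=ECDH (Kx=any for TLS 1.3,
# where every key exchange is ephemeral; DHEPSK/ECDHEPSK are the ephemeral
# PSK variants). Fixed ECDH on OpenSSL 1.0.x shows up as Kx=ECDH/RSA or
# Kx=ECDH/ECDSA and is therefore flagged.
check_pfs() {
    awk '
    BEGIN { rc = 0 }
    {
        kx = ""; au = ""; enc = ""; mac = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "Kx") kx = kv[2]
            else if (kv[1] == "Au") au = kv[2]
            else if (kv[1] == "Enc") enc = kv[2]
            else if (kv[1] == "Mac") mac = kv[2]
        }
        bad = 0
        if (kx != "DH" && kx != "ECDH" && kx != "any" &&
            kx != "DHEPSK" && kx != "ECDHEPSK") bad = 1
        if (au == "None") bad = 1          # aNULL: anonymous suites
        if (enc ~ /3DES/) bad = 1
        if (mac == "MD5") bad = 1
        if (bad) { print "NON-PFS: " $0; rc = 1 }
    }
    END { exit rc }
    '
}

# Run the audit against the post's string when openssl is available.
if command -v openssl >/dev/null 2>&1; then
    if expand_suites "$CIPHER_STRING" | check_pfs; then
        echo "every suite selected by '$CIPHER_STRING' uses ephemeral (EC)DH"
    fi
fi
```

Two caveats the output makes visible: OpenSSL 1.0.x also has fixed, non-ephemeral ECDH suites (kECDHr/kECDHe, printed as Kx=ECDH/RSA or Kx=ECDH/ECDSA) that the string above does not exclude, so on those versions the script will list them and `!kECDHr:!kECDHe` removes them; and newer OpenSSL builds match PSK-based suites under HIGH, of which the script flags the non-ephemeral RSA-PSK and plain PSK ones (the OpenSSL alias `!PSK` drops them all if you do not use pre-shared keys).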

(Additionally, I always disable the SSLv3 protocol on all installations: SSLProtocol all -SSLv3 .)